Low Risk — Risk Score 15/100
Last scan: 19 hr ago
rynjer-image-generation
Agent-first marketing image generation skill with prompt rewrite, cost estimation, and image generation via Rynjer API
A legitimate image generation skill for agents with no malicious behavior; only minor documentation and version pinning issues detected.
Skill Name: rynjer-image-generation
Duration: 45.3s
Engine: pi
Safe to install
Safe to use. Consider pinning package.json version and replacing the example credential placeholder in README.md with a clearer placeholder format.

Findings (2 items)

Severity | Finding | Category | Location
Low | Example credential placeholder in README | Doc Mismatch | README.md:33
  README.md line 33 shows 'ACCESS_TOKEN="your_access_token_or_ryn_agent_v1_key"' as a usage example. This is clearly a placeholder with a 'your_' prefix, and no actual credential is exposed.
  export RYNJER_ACCESS_TOKEN="your_access_token_or_ryn_agent_v1_key"
  → Consider using a more obvious placeholder format such as 'REPLACE_WITH_YOUR_TOKEN' to avoid confusion.
Low | package.json version not formally pinned | Supply Chain | package.json:1
  package.json has version 0.1.0, but the package has no external dependencies (only Node.js built-ins), so there is no supply chain risk.
  "version": "0.1.0"
  → No action needed; no external dependencies exist.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | src/mock-runtime.js:9-27 makes HTTPS requests to the rynjer.com API
Filesystem | READ | READ | ✓ Aligned | src/mock-runtime.js:5-6 reads tools.json and templates.json
Shell | NONE | NONE | | No shell execution found in codebase
Environment | READ | READ | ✓ Aligned | src/mock-runtime.js:7-8 reads RYNJER_ACCESS_TOKEN, RYNJER_USE_LIVE, RYNJER_BASE_…
Skill Invoke | READ | READ | ✓ Aligned | Skill exposes 5 tools: rewrite_image_prompt, estimate_image_cost, generate_image…
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser automation detected
Database | NONE | NONE | | No database access detected
1 High · 2 findings

🔑 High | API Key | Suspected hard-coded credential
  ACCESS_TOKEN="your_access_token_or_ryn_agent_v1_key"
  README.md:33
🔗 Medium | External URL | External URL
  https://rynjer.com
  README.md:32

File Tree

14 files · 44.7 KB · 1590 lines
Markdown 9f · 893L JavaScript 1f · 436L JSON 4f · 261L
├─ 📁 examples
│ └─ 📋 happy-path.json JSON 32L · 963 B
├─ 📁 src
│ ├─ 📜 mock-runtime.js JavaScript 436L · 13.4 KB
│ ├─ 📋 templates.json JSON 78L · 2.6 KB
│ └─ 📋 tools.json JSON 136L · 5.0 KB
├─ 📁 templates
│ ├─ 📝 monetization-boundary.md Markdown 17L · 440 B
│ ├─ 📝 routing-policy.md Markdown 22L · 692 B
│ └─ 📝 use-cases.md Markdown 16L · 554 B
├─ 📝 CHANGELOG.md Markdown 20L · 912 B
├─ 📝 IMPLEMENTATION.md Markdown 168L · 3.9 KB
├─ 📋 package.json JSON 15L · 361 B
├─ 📝 PUBLISH.md Markdown 37L · 1.2 KB
├─ 📝 README.md Markdown 248L · 5.6 KB
├─ 📝 SCHEMA.md Markdown 125L · 2.4 KB
└─ 📝 SKILL.md Markdown 240L · 6.8 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
none | N/A | builtin | No | Only uses Node.js built-in modules (https, fs, path); no external dependencies

Security Positives

✓ No shell execution or command injection vulnerabilities detected
✓ No credential harvesting or environment variable enumeration for exfiltration
✓ No base64 decoding, eval(), or obfuscated code execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No C2 communication or data exfiltration patterns
✓ Uses only Node.js built-in modules (https, fs, path) - no supply chain risk
✓ API authentication uses Bearer token pattern for legitimate API calls only
✓ All capabilities are declared and aligned with documented behavior
✓ Skill uses mock mode by default, requiring explicit opt-in for live API calls
✓ No hidden functionality or undocumented behavior detected